You can’t have a convention without technology, and you can’t keep computers, tablets, phones and other devices used by attendees at a convention safe without taking steps that protect all those gadgets from cybercriminals.

Even small conventions are sure to see lots of devices in use for all sorts of reasons. A speech or talk given by an expert or executive will likely feature a PowerPoint presentation, music may be played through a computer and participants are sure to be using their phones to email and text.

Keeping conventions safe is a 24/7 aspect of the job for anyone who plans conventions for a living.

“The sheer amount of data transferred and shared between two parties at a convention can be astronomical.”  Attila Tomaschek, Digital Privacy Expert

“Any responsible event organizer should already have a cyber incident response plan in place prior to the start of the convention so that they can follow proper security protocols and limit the scope and negative impact of a potential breach,” says Attila Tomaschek, digital privacy expert for ProPrivacy.com.

He adds that conventions represent a perfect setting for hackers and cyber thieves to infiltrate computers and other gadgets.

“Conventions are a great opportunity for organizations within a specific industry to come together to learn from each other and to share ideas,” Tomaschek says. “They are also, unfortunately, a great opportunity for hackers and other cybercriminals to exploit certain vulnerabilities and steal valuable and sensitive data from organizers and attendees alike.”

Tomaschek notes that larger conventions are often at a greater risk than smaller ones, because with more people networking and sharing information, there are more potential victims for cybercriminals to target.

“The sheer amount of data transferred and shared between two parties at a convention can be astronomical,” he says. “A single entity potentially lacking proper security protections and getting compromised can spell tremendous risks to sensitive personal data ending up in the wrong hands.”

According to Michael Schenck, director of security services for Kaytuso, attendees at conventions often are confident that the host organization is being vigilant about cybersecurity, but that confidence often isn’t earned.

“Convention centers are more dangerous than a midtown Starbucks for cybersecurity,” Schenck says. “The biggest threat is the trust that comes as part of human nature. Conventions are advertised events where everyone is there for a purpose — a common thread. Additionally, people are typically there for social and professional networking, so we are likely to let our guard down. That’s the beginning of it; easy targets and the creation of a target-rich environment. The rest is all the obvious — unprotected systems, rogue Wi-Fi, compromised phone charging stations, HD cameras that could easily be used to record keystrokes, the list goes on.”

Modern-Day Pickpockets

Obviously, theft is not a new concept, and J. Eduardo Campos, founder, president and managing partner of consulting firm, Embedded-Knowledge Inc., says cybercriminals are simply a 21st-century version of a tradition of crooks that dates back hundreds of years.

“Large groups of people gathering for events were usually a target for criminals, from pickpockets to cell phone thieves and purse grabbers,” says Campos, who has decades of experience solving complex programs for global organizations, including as a former Microsoft executive. “Today, cybercriminals joined the ranks of those willing to take advantage of distracted conference attendees, cocktail gadflies and meeting-goers. This new focus is due to the value of the information in their electronic devices — computers, laptops, tablets, and phones — which store a trove of personal sensitive information, such as financial records.”

He adds that surveys indicate these threats are getting worse on a daily basis, with reports of hacking regularly making the news.

“Event planners, as well attendees, are usually non-expert consumers of technology,” says Campos, co-author of “From Problem Solving to Solution Design: Turning Ideas Into Actions.” “Criminals go after this information so that they can use it to enable illicit online financial transactions.”

Another issue according to Campos, is that people aren’t knowledgeable about the security configurations of their devices. Other factors that make it easy for cybercriminals to infiltrate devices are lack of security updates and older gadgets with outdated cybersecurity capabilities.

“Cyber criminals are individuals looking to take advantage of ill-configured electronic devices to steal personal and financial information,” he says. “The ultimate goal is to make money quickly and cleanly, which sometimes involves blackmailing over sensitive pictures, embarrassing emails, or simple ransom — they will lock you out of your computer and will only unlock it after you pay a ransom, which we don’t recommend you to do at all.”

Paul Lipman, CEO of award-winning cybersecurity company BullGuard, says cybercriminals come in all shapes and sizes and all sorts of demographic backgrounds.

“But what they’re looking for is simple — access to personal information and data they can use for malicious purposes, or to extort bitcoins or payment through ransomware, infect computers with malware and other fraudulent purposes such as identity theft, and for financial gain. Cyber criminals can easily take advantage of an unprotected network where there are multiple users connected to the same network.”

He adds that open Wi-Fi networks allow these cybercriminals to distribute malware to anyone who is connected to that network “in the blink of an eye.”

And conventions are attractive targets for these thieves, Lipman says, because many conventions do not require passwords to access the Wi-Fi in use, and if there is a password, it’s often easy to guess or it’s written on papers that are included in brochures or packets given to attendees.

“Any person at the conference — even if they are not an attendee and are just in the lobby or close enough to pick up a Wi-Fi signal — can easily ask an attendee to give them the password — and many attendees would offer it to be friendly,” he says. “They could, in fact, be giving a fraudster or hacker easy access to the network and leaving anyone who is accessing the Wi-Fi open to having their data and other personal information at risk for a potential hack or breach.”

Schenck says just who cybercriminals are could depend on the nature of the convention.

“It could be people looking to make money on ransomware, looking to create or expand a botnet for an unrelated activity, identity thieves, or even espionage — national, economic or industrial,” he says.

Cybercrime Victims

One of the key reasons cybersecurity needs to be a priority when planning a convention is that any participant who uses a device on the convention’s Wi-Fi is a potential target.

“Both attendees and organizers are at risk,” Tomaschek says. “Attendees can easily be tricked into providing personal information to another individual at the event posing as a legitimate business contact. Event organizers are also certainly at a heightened risk of a potential breach simply due to the vast amounts of registration data containing all kinds of personal information that organizers collect from attendees. Such a wealth of data is a gold mine for cybercriminals and therefore needs to be properly protected via the strictest of security protocols.”

Campos says all participants of a convention are at risk, both organizers and attendees, for several reasons, including the value of personal financial records on the black market and the low level of preparedness that exists at many conventions.

“Passwords, financial data, and other sensitive personal information quickly show up on the darknet after a breach, where criminals freely negotiate with the best buyer when not directly engaging in blackmailing the original information owner,” he says. “To prevent attacks that put convention crowds at risk of losing control of their sensitive information, there must be a minimal set of protective measures to promptly detect and thwart cyberattacks.”

The most common tools used are antivirus solutions. However, they are not a silver bullet. Campos had a colleague who had all the security configurations well-done and good antivirus installed, and had his laptop breached anyway. He discovered after the fact that he had been using a compromised Wi-Fi network in his monthly professional gathering, which would download a computer’s antivirus into his device at every connection, disabling his antivirus to begin with.

“My friend had to spend hours cleaning the virus infection of his laptop,” Campos says. “Moreover, he started using a special software called VPN — Virtual Private Network — which protected his connections while using public Wi-Fi, and he never faced any issue again.”

Lipman agrees that the most secure method in protecting information is to use a personal VPN to connect to the internet.

“VPN solutions offer protection across multiple devices, and the cost of protecting them is relatively cents per day,” he says. “It’s actually really simple for hackers to set up a fake malicious network and pretend to be ‘Free SFO Airport Wi-Fi network’ or ‘Starbucks Wi-Fi.’ A personal VPN allows convention attendees to avoid putting themselves at risk while connecting to an unknown network.”

Tomaschek adds that convention organizers should make sure that all of their devices are secured through strong passwords or fingerprint-scanning technology, which protects computers, tablets and phones from unauthorized access.

“Organizers should also ensure that their systems are properly encrypted to secure their data as well as attendee data,” Tomaschek says. “Conference attendees also need to take certain critical precautions when attending a conference and interacting with contacts. Attendees should also ensure that their devices are properly password protected, disable wireless communication features like Bluetooth, connect only to the official trusted Wi-Fi network of the conference, use a VPN to encrypt all online activity and just use common sense and never share any information other than what is necessary.”

Robert Siciliano, a security awareness expert and CEO of Safr.Me, says in general, attendees of a convention are more vulnerable than hosts. “But this might also depend on the country in which the event is being hosted,” he says. “Overseas in Asia, Russia, China or South America, hacking Wi-Fi isn’t just for fun and profit, it is a sport.”

Protect Your Wi-Fi

Any center that hosts conventions is bound to offer free Wi-Fi to organizers and participants of any convention, but an unprotected Wi-Fi network can put users at risk.

“Free, open, unencrypted Wi-Fi invites criminal hacking,” Siciliano says. “It is best to engage in either password-protected encrypted Wi-Fi, or encourage the attendees to enlist a virtual private network software to encrypt and lock down their wireless connection.”

He adds that in addition to cybertheft, convention attendees also should take precautions against the old-fashioned kind of thievery.

“Theft of digital devices left in conference rooms during breaks or lunch is a big problem in a convention environment,” Siciliano says. “Attendees tend to feel that their items are not susceptible to physical theft and put too much reliance on trusting the nonexistent event security.”

Anthony Bustamante, a professor in the cybersecurity management faculty at Tulane University’s School of Professional Advancement, says cybersecurity begins with the most basic of steps, including setting up strong passwords that aren’t taped to your laptop and tablet.

“I’ve walked into banks before where an employee’s username and password into the banking system were on a sticky note where I could see it,” he says.

He adds that all staff working on a convention should be trained on the best practices for cybersecurity, and encouraged to report on suspicious activity.

“The same security principles that you apply as a meeting planner will also apply to your attendees, but one additional option to increase the security of your attendees’ Wi-Fi connection is to incorporate PKI certificates into the Wi-Fi authentication process,” Bustamante says. “Extra steps will be required on the users’ end to ensure they load the certificates into their devices, but it will protect them from connecting to a rogue access point that is pretending to be the real access points.”

Steps for Security

Free Wi-Fi is common in all sorts of places — libraries, coffee shops, hotels, etc. — and while Tomaschek says these networks can easily be infiltrated by cybercriminals, conventions can still offer a free Wi-Fi network to attendees, along with advice as to how participants can protect their gadgets.

“Attendees should feel free to use the provided Wi-Fi network as long as they protect their internet activity and use a VPN whenever they connect to the network,” Tomaschek says.

Schenck suggests following the same steps that are used to secure any computer, such as MFA (Multi-Factor Authentication), hardened configurations, encryption, locking policies and current advanced anti-malware.

“Use a VPN before connecting to anything but a recognized hotspot, or better yet, use a tethered device or mobile hotspot you control,” he says.

Lipman suggests that planners make sure there is a WPA2 (Wi-Fi Protected Access) password on the Wi-Fi network that is being used at the convention. He adds that planners should recommend that all attendees use a virtual private network to add another layer of protections.

“VPNs enable consumers to safeguard their online privacy — flying under the radar and surfing the internet in stealth mode while retaining complete anonymity via military-grade encryption,” Lipman says. “VPN works by hiding a consumer’s origin IP address, preventing others — including ISPs and government organizations — from monitoring their online browsing activity, what websites they visit, what they download or what services and applications they use.”

Furthermore, attendees should be given official convention Wi-Fi login details with regularly updated passwords. One thing they shouldn’t do is assume the first public Wi-Fi that shows up on their device is the proper one.

“To keep themselves even more protected, attendees should be encouraged to use their own personal VPN, like BullGuard VPN, on their laptops, tablets and phones to protect themselves from potential cyberattacks,” Lipman says.

Campos says keeping cybercriminals at bay requires specialized software tools. These include antivirus that shields your device and VPNs to protect your connections to public Wi-Fi.

“Also, it’s important to keep pace with the constant update of the software — such as monthly free Windows updates — and device configurations. This series of steps is also known as ‘cybersecurity hygiene,’” he says.

He suggests creating a daily routine and habits, featuring some simple steps, in addition to updating your antivirus software.

Those steps include being wary of email attachments and web links, especially from senders you don’t know. Also, don’t connect unknown or untrusted storage devices or hardware to your computer or mobile device, for example don’t share USN sticks or external hard drives between suspicious computers or devices. He also says not to download software from an unknown web page, be very careful when you do download files, and use freeware or shareware. Finally, don’t share personal or business information because criminals can impersonate you and send fake emails to your contacts.

In the Event of a Breach

So let’s say a planner is overseeing a convention and it’s going wonderfully. Attendees are communicating, networking, and discovering new ideas that can help their businesses and careers. But then the planner suspects a breach has occurred.

Tomaschek says the first step is to identify and isolate the breach. “In the event of a breach, organizers should also immediately notify attendees of the threat and clearly communicate to them the steps they should take to protect themselves and their devices from the incident,” he says. “Organizers also must communicate to attendees the nature of the incident and exactly what steps they are taking in response to the incident and how it will be resolved.”

Bustamante says a breach at a convention is different from their conventional counterparts at companies, where computer systems reside on one network and use similar computer models and software. “A breach typically results from one system being compromised and an attacker leveraging the trust relationship between this machine and all other internal machines on the network,” he says. “When credentials are stolen, they will likely work across the domain to some extent. Now contrast this with a convention network. Attendees that connect to the centralized network are likely to be running a wide variety of hardware and software. Authentication is not centralized and there is no trust relationship between devices. In the latter scenario it is much more difficult to have a crisis response plan, in which a specialized team is hired to conduct an investigation to determine the nature of the breach.”

At this type of event, the most prudent course of action is to respond quickly and to be as transparent as possible with attendees and vendors about what has transpired, this will allow them the opportunity to take the necessary next steps to protect their assets.

Campos says all attendees should be noted of any potential breach, and that law enforcement should also be contacted. And always collaborate with a cybersecurity expert who can help with these situations. He added that he has worked with clients who experienced breaches.

“It happened because users were not prepared to identify an attack,” Campos says. “They clicked on email attachments that downloaded a virus in several computers. After the fact, they were trained and it never happened again.”

He adds that it all starts with people and the processes that are put in place before any technology is employed.

“Work on user awareness, give step-by-step guidance, and keep a channel open for alerts and their feedback,” Campos says. “In terms of processes, work with an expert to develop a checklist to ensure you have safe Wi-Fi connections, updated devices and the right software to protect your electronic devices and connections.”| AC&F |